
Canon imageRUNNER/ imagePRESS Security White Paper

Date post: 02-Jan-2017

INTENT OF THIS DOCUMENT:

Canon recognizes the importance of information security and the challenges that your organization faces. This white paper provides information security facts for Canon imageRUNNER/imagePRESS series devices. It provides details on Canon’s security position for networked and stand-alone environments, as well as an overview of Canon’s device architecture, framework and product technologies as related to document and information security.

This white paper is primarily intended for administrative personnel responsible for the configuration and maintenance of Canon MFP devices. The information in this document, in conjunction with other best practices, may be used as guidance to help improve your organization’s overall security. Some security settings may affect device functionality or performance. You may want to test these settings before deploying them in your environment to ensure you understand their effects.

Canon does not warrant that use of the information contained within this document will prevent malicious attacks, or prevent misuse of your imageRUNNER and imagePRESS devices.


Table of Contents

1. Introduction
   1.1 Security Market Overview
   1.2 Imaging & Printing Security Overview
2. Canon imagePlatform Security
   2.1 Device Security
   2.2 Network Security
   2.3 Security Monitoring/Management Tools
3. Advanced imageRUNNER/imagePRESS Security Solutions
   3.1 Canon Advanced imageRUNNER Security Solutions
   3.2 Other Advanced Security Features
4. Security Solutions in non-imagePlatform Devices
   4.1 Standard Device Security
   4.2 Network and Print Security
   4.3 Memory Security
   4.4 Fax Security
5. Canon Solutions & Regulatory Requirements
   5.1 Common Criteria
   5.2 Common Criteria Certification
6. Conclusion
7. Addendum
   7.1 Canon Security Recommendations Quick Reference
   7.2 Compatibility Charts for Optional Hard Disk Drive Data Erase Kits and Encryption Kits


Section 1 — Introduction

“If you look at these machines as just copiers or printers, you first wonder if you really need security. Then you realize conventional office equipment now incorporates significant technology advances and capabilities that make all documents an integrated part of a corporate network that also involves the Intranet and Internet. Government agencies, corporations and non-profits are increasingly transitioning from traditional stand-alone machines to devices that integrate these functions and link them to corporate networks, raising a whole new era of information management and security issues.

Our development of features within the Canon imageRUNNER and imagePRESS product portfolios are designed to help prevent data loss, help protect against unwanted device infiltration and help keep information from being compromised.”

—Dennis Amorosano, Sr. Director, Software Product Marketing, Solutions Business Development Division, Canon U.S.A., Inc.

As the marketplace has evolved, the technology associated with office equipment continues to develop at an ever increasing pace. Over the last several years alone, traditional office equipment has leapfrogged in technology, expanding its functional capabilities, while at the same time becoming an integral part of the corporate network and the Internet. As a result, a new level of security awareness has become imperative.

Canon’s attention to emerging market trends and details surrounding customer security requirements has driven the development of features within the imageRUNNER/imagePRESS product portfolio designed to thwart data loss and the potential threats posed by hackers.


1.1 — Security Market Overview

In today’s digital world, risks to networks and devices come in more forms and from more directions than ever before. From identity theft and intellectual property loss to infection by viruses and trojan horses, IT administrators today find themselves playing an additional role of security officer to adequately protect information and assets from threats from the outside as well as within.

Nearly every day destructive threats emerge and undiscovered vulnerabilities are exposed, proving that you can never be too secure. IT administrators need a holistic security strategy that can be applied at every level of the organization — from servers, desktops and devices such as MFPs, to the networks that connect them all.

As if the risks to computers, networks and devices weren’t difficult enough to address, increased governmental regulations add an additional layer of strict compliance standards that must be met. Legislation such as Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley Act (GLB), Health Insurance Portability and Accountability Act (HIPAA) and Family Education Rights Privacy Act (FERPA) all require that IT administrators ensure the security, privacy, accuracy and reliability of information receives the utmost attention.

1.2 — Imaging & Printing Security Overview

Today’s multifunction devices share many similarities with general purpose PCs. They contain many of the same components like CPUs, memory and hard disks; and some even use mainstream operating systems like Windows or Linux. Like any other device on the network, sensitive information may be passed through these units and stored in the device’s hard disk and memory. Yet at many companies multifunction devices are not given the same attention concerning information security.

The Canon imageRUNNER/imagePRESS Security White Paper has been designed to provide detailed information on how the imageRUNNER and imagePRESS series of devices can address a wide variety of security concerns. imageRUNNER and imagePRESS devices offer many standard security capabilities, as well as a number of advanced security options that may be added for a higher level of confidentiality, integrity and availability of your mission critical information.


Canon recognizes the vital need to help prevent data loss, protect against unwanted device use, and mitigate the risk of information being compromised. As a result, all imageRUNNER/imagePRESS devices include many standard security features to help safeguard information.

Canon imageRUNNER security capabilities fall into three key areas:

• Device Security
• Network Security
• Security Monitoring/Management Tools

2.1 – Device Security

imageRUNNER/imagePRESS Controller Security

At the heart of every imageRUNNER/imagePRESS device is the Canon imagePlatform controller. The controller runs a proprietary operating system that is not widely available or distributed, and has been expressly designed to run embedded applications developed by Canon. Because of its uniqueness and hardened implementation, the operating system is not a common target for viruses or hackers.

User Authentication Modes

Canon imageRUNNER/imagePRESS devices include a number of authentication options which administrators can use to ensure that only approved walk-up users can access the device and its functions, such as copy, scan and Universal Send features. Beyond limiting access to only authorized users, authentication also provides the ability to control usage of color and black and white output, and total print counts by department or user.

The user authentication methods that imageRUNNER/imagePRESS devices support include:

• Department ID
• Simple Device Login (SDL)
• Single Sign On (SSO)

Department ID Mode

An embedded feature within the imageRUNNER/imagePRESS devices, the Department ID Management mode permits administrators to control device access. If Department ID authentication is enabled, end users are required to enter a password before they are able to access the device.

Each Department ID can be configured with device function limitations, such as the maximum number of copies, copy and Mail Box allocation parameters, size of Mail Box and facsimile access. The total number of Department IDs that can be defined on each device depends on the specific imageRUNNER/imagePRESS model. Customers can also add an optional card reader unit to enhance security by providing authorized users with control cards to access the machine.

Mail Box, Send (if applicable), and Scan functions can each be turned “On” or “Off” from the Limit Functions screen located under Department ID Management. Copy mode is automatically disabled when the Department ID Management function is turned “On”. Once a mode has been turned “On” (deeming it password-protected), the tab for that mode will be grayed-out on the LCD panel.

The settings can be made under Additional Functions > System Settings > Department ID Management > Store Dept. ID/Password > Limit Functions.

Section 2 — Canon’s Imaging & Printing Security Framework


Simple Device Login (SDL)

Simple Device Login is a MEAP login service that can be used stand-alone with the device. User data is registered in the device’s memory using a web browser.

The SDL login service provides the following functions:

• Displays a login screen on the touch panel display of the device, and performs user authentication

• Displays a login page when the device is accessed from a web browser, and performs authentication

• Enables you to limit and keep track of the print/scan totals for department ID, by linking to the department ID Management functions of the device

The SDL login service can be configured using the MEAP Service Management Service.

To enable the SDL login Service, open a web browser and enter the URL http://<imageRUNNER IP Address or host name>:8000/sms. On the login page type the password. Click on the System Management tab. Click on the Enhanced Sys. App tab. Under login service select “Simple Device Login.” Click the select button. Reboot the device.

Single Sign On Login

Single Sign On (SSO) is a MEAP login service that can be used in conjunction with an Active Directory (AD) network environment. SSO supports the following modes:

• Local Device Authentication
• Domain Authentication – in this mode, user authentication can be linked to an Active Directory environment on the network
• Domain authentication + local device authentication

When used in Domain Authentication mode, a user must successfully authenticate using valid Windows AD credentials prior to gaining access to any of the MFP device functions.

SSO ships standard with MEAP capable imageRUNNER and imagePRESS devices and can support up to 200 domains. The latest device models ship with a version of SSO called SSO-H, which supports direct authentication against AD using Kerberos or NTLMv2 as the authentication protocol. In local device authentication, SSO-H can support up to 5,000 users.

Earlier MEAP devices support a version of SSO that utilizes a Security Agent (SA) to accomplish authentication against AD. The SA is a small Windows application which can be run on any PC system that is a member of the same Windows domain. This earlier version of SSO only supports NTLMv2 as the authentication protocol and can support up to 1,000 users.

To enable the SSO login Service, open a web browser and enter the URL http://<imageRUNNER IP Address or host name>:8000/sms. On the login page type the password. Click on the System Management tab. Click on the Enhanced Sys. App tab. Under login service select “Single Sign-On.” Click the Select button. Reboot the device.


Advanced Access Control*

Canon imageRUNNER/imagePRESS devices support a number of advanced access control options to help you manage their use and restrict unauthorized users. These options provide a range of features to help manage Authentication, Authorization, and Auditing.

Authentication options include support for proximity cards, PIN codes as well as smart cards. In the area of Authorization, Canon offers solutions that can lock down the entire device, or simply lock down specific functions (ex. Send-to-Email), while leaving other applications available for general use. These solutions can log activity like copying, printing, faxing, scanning, and email, to provide you with the Auditing information you need to track usage down to the individual user level.

With the power and flexibility of MEAP, many of these authentication solutions can be customized to meet your specific requirements.

Control Cards/Card Reader System*

Canon imageRUNNER/imagePRESS devices offer support for an optional Control Card/Card Reader system for device access and to manage usage. The Control Card/Card Reader System option requires the use of intelligent cards that must be inserted in the system before granting access to functions, which automates the process of Department ID authentication. The optional Control Card/Card Reader system manages populations of up to 300 departments or users.

Password-Protected System Settings

As a standard feature, imageRUNNER/imagePRESS device setup screens support password protection to restrict device setting changes from the control panel and Remote UI tool. When a device administrator uses the System Settings menu, they can set network information and system configuration, and enable or disable network and printing protocols, among many other options. Canon highly recommends setting an administrator password at time of installation since it controls critical device settings.

[Figures: System Manager Screen; Store ID and Password Screen]


*Not available on all imageRUNNER/imagePRESS models.


Mail Box Password Protection

Each imageRUNNER/imagePRESS product ships standard with support for up to 100 Mail Boxes for storage of scanned and printed data. Mail Box security is provided by the ability to designate a unique password for access.

HDD and RAM Data Protection

Canon imageRUNNER/imagePRESS devices, like many other multifunction devices, use a combination of Random Access Memory (RAM) and an internal Hard Disk Drive (HDD) for short-term and long-term data storage when handling system functions like copying, printing, and faxing. The internal HDD, as used by the imagePlatform controller, is formatted with two partitions — Partition A and Partition B.

Partition A, which is used to store spooled print jobs, is formatted with a FAT16-like file system that is not accessible from DOS/Windows. The print jobs stored on Partition A are automatically deleted at the following points:

• After they are rendered to image files in memory
• When a device has not successfully received a job
• When a job is canceled by a user’s operation
• When the machine’s power is turned on, if any files remain

Partition B is formatted with a Canon proprietary file system, which is not compatible with any commonly used file system. All image data is written to Partition B in random and non-contiguous portions of the hard disk drive, making it difficult to meaningfully analyze or reassemble data.

To properly recompile this randomly written data, it is necessary to store the location and sequence of all data written to the HDD. The imagePlatform controller accomplishes this by creating a File Allocation Table (FAT) that stores all appropriate data locations and sequence on the HDD. Upon finishing a specific job, whether it is printing, copying, or faxing, the system automatically erases the FAT. As a result, all information required to recompile data in the image server is lost.

Although the reference to deleted files has been removed from the FAT, the actual data may remain on the HDD or RAM until overwritten by subsequent jobs. As a result data could still be compromised, although doing so would be extremely difficult.

For customers who may be concerned about residual data on hard drives, Canon recommends the use of the optional HDD Data Erase Kit.

MEAP Security

Canon actively collaborates with leading third-party software companies to develop extensible solutions for the imageRUNNER/imagePRESS devices, known as MEAP applications. Each MEAP enabled device includes a number of safeguards to ensure the security and integrity of information stored on the device.

Access to the Software Development Kit for MEAP is tightly restricted and controlled through licensing. Once an application has been developed, it is thoroughly reviewed by Canon to ensure that it meets strict guidelines for operability and security. Following the review, the application’s integrity is guaranteed by Canon and is digitally signed with a special encrypted signature and license for protection purposes. If the application is modified in any way, the signature code will not match and the application will not be permitted to run on the device. These safety measures make it virtually impossible for an altered or rogue MEAP application to be executed on an imageRUNNER/imagePRESS device.


[Figure: Box Set/Store Password Screen]


2.2 – Network Security

Network and Print Security (Canon Network Printer Kit Only)

Canon imageRUNNER/imagePRESS devices include a number of highly configurable network security features that assist in securing information when the optional Network Print Kit is installed. Standard network security features include the ability to permit only authorized users and groups to access and print to the device, limiting device communications to designated IP/MAC addresses, and controlling the availability of individual network protocols and ports as desired.

Enabling/Disabling Protocols/Applications

Through Canon’s device setup and installation utilities, network administrators are provided with the ability to configure the specific device protocols and service ports that are accessible. As a result, unwanted device communication and system access via specific transport protocols can be effectively blocked.

The imageRUNNER/imagePRESS devices have the ability to disable unused TCP/IP ports to further secure the devices. Disabling ports affects the available functions and applications on the device. Configurable ports include:

| Name | Port | Description | Setting Location | Functions Impacted by this Port |
|---|---|---|---|---|
| FTP (*1) | TCP 21 | File Transfer [Control] | System Settings>Network Settings>TCP/IP Settings>FTP Print Settings | If disabled, FTP printing/scanning options will be disabled |
| SMTP | TCP 25 | Simple Mail Transfer Protocol | System Settings>Network Settings>Email/Ifax | E-mail and i-Fax sending capability are enabled through this function |
| HTTP | TCP 80 | World Wide Web HTTP | System Settings>Network Settings>TCP/IP Settings>Use HTTP | No access to the imageRUNNER’s Remote UI utility if disabled. Printing over IPP will cease if disabled. |
| netbios-ssn | TCP 139 | NETBIOS Session Service | System Settings>Network Settings>SMB Settings>Use SMB | Scanning to a windows folder will be affected. |
| HTTPS | TCP 443 | HTTP protocol over TLS/SSL | System Settings>Network Settings>TCP/IP Settings> press [On] for <Use SSL>. | If enabled, all network traffic between user pc and imageRUNNER device via the Remote UI utility is secure. |
| PRINTER | TCP 515 | spooler | System Settings>Network Settings>Use Spooler> press [On] | Disabling this protocol will cease Printing over LPR |
| IPP | TCP 631 | IPP (Internet Printing Protocol) | System Settings>Network Settings>TCP/IP Settings screen> press [IPP Print Settings]> press [On] | Disabling this protocol will cause Printing over IPP protocol to stop. |
| HTTP | TCP 8000 | World Wide Web HTTP for MEAP | System Settings>MEAP Settings> Set [Use HTTP] to [On] | Disabling this feature disables access to MEAP SMS Page and other MEAP applications such as iWAM for MEAP |
| RAW | TCP 9100 | Standard TCP/IP Printer (RAW) | In the printer properties dialog box, click [Configure Port] > select [LPR] or [Raw]. | Disabling this feature causes Printing over Std TCP/IP protocol to stop |
| SNMP | UDP 161 | Simple Network Management Protocol | System Settings>Network Settings>TCP/IP Settings> [SNTP Settings]> [On] for [Use SNTP] | Disabling this feature will result in imageRUNNER devices not being discovered by device management utilities such as iWEMC or Netspot Device Installer |

* Used ports and default port settings may vary per model. Please consult your device manuals or contact your service technician for additional details.


IP Address Range Settings

Using the RX/Print Settings function, the System Manager can limit network access to the device to specific IP addresses or ranges for printing. Up to eight individual or consecutive address settings can be specified. Subsequently, the System Manager can also choose to permit a range of addresses, but reject specific addresses within that range.

Unless an address has been restricted by the RX/Print Settings function, the Setting/Browsing Range feature will permit all users to print from their PCs. However, this setting can also alter whether specific users can use Remote UI functionality or not. To block access to the Remote UI utility, System Managers simply need to go to Network Settings > TCP/IP Settings > IP Address Range Settings > Setting/Browsing Range and enter in the IP address of the devices they wish to block. Like the RX/Print Settings, the System Manager can set a total of eight settings of either individual addresses or ranges.

Media Access Control (MAC) Filtering

MAC address filtering is useful for smaller networks where administrators can manage controls for specific systems, regardless of the subnet to which they happen to be connected. For environments using Dynamic Host Configuration Protocol (DHCP) for IP address assignments, MAC address filtering can avoid issues that are caused when DHCP leases expire and a new IP address is issued to a system. As with IP address filters, MAC address filters can be used to allow or deny access to specific addresses. Up to 100 MAC addresses can be registered and easily added, edited, or deleted through the Remote UI interface. MAC address filters take a higher priority than the IP address filters; so necessary systems can be allowed or denied, even if the system’s IP address would dictate otherwise.
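The interaction of the IP Address Range Settings and MAC filtering passages above can be checked on paper before a policy is entered at the device. The following Python model is an added example, not Canon code or firmware logic. Assumptions: the eight-entry limit applies to each IP list separately, an empty permit list allows unlisted addresses, and all names (FilterPolicy, mac_overrides, the sample hosts) are hypothetical.

```python
"""Model of the address filtering described above (IP ranges plus MAC filter).

Added example: evaluation order and defaults are assumptions drawn from the
white paper's wording, not Canon firmware logic.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address

MAX_IP_ENTRIES = 8     # "up to eight individual or consecutive address settings"
MAX_MAC_ENTRIES = 100  # "up to 100 MAC addresses can be registered"


def parse_entry(text):
    """Parse '192.0.2.5' or '192.0.2.10-192.0.2.50' into an inclusive (low, high) pair."""
    low, _, high = text.partition("-")
    lo = IPv4Address(low.strip())
    hi = IPv4Address(high.strip()) if high else lo
    if hi < lo:
        raise ValueError(f"range end precedes start: {text!r}")
    return lo, hi


def normalize_mac(mac):
    """Reduce a MAC address to 12 lowercase hex digits so notations compare equal."""
    digits = "".join(c for c in mac.lower() if c not in ":-.")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass
class FilterPolicy:
    permit: list = field(default_factory=list)     # IP entries allowed through
    reject: list = field(default_factory=list)     # IP entries refused, even inside a permit range
    mac_allow: list = field(default_factory=list)  # MACs always allowed
    mac_deny: list = field(default_factory=list)   # MACs always refused

    def __post_init__(self):
        for name in ("permit", "reject"):
            entries = getattr(self, name)
            # Assumption: the eight-entry limit applies to each list separately.
            if len(entries) > MAX_IP_ENTRIES:
                raise ValueError(f"{name}: more than {MAX_IP_ENTRIES} entries")
            setattr(self, name, [parse_entry(e) for e in entries])
        self.mac_allow = {normalize_mac(m) for m in self.mac_allow}
        self.mac_deny = {normalize_mac(m) for m in self.mac_deny}
        if len(self.mac_allow) + len(self.mac_deny) > MAX_MAC_ENTRIES:
            raise ValueError(f"more than {MAX_MAC_ENTRIES} MAC entries")
        if self.mac_allow & self.mac_deny:
            raise ValueError("a MAC address is listed as both allowed and denied")

    def ip_decision(self, ip):
        """IP filter alone: a reject entry wins over a permit range that contains it."""
        addr = IPv4Address(ip)
        if any(lo <= addr <= hi for lo, hi in self.reject):
            return False, "IP reject entry"
        # Assumption: with no permit entries configured, unlisted addresses are allowed.
        if self.permit and not any(lo <= addr <= hi for lo, hi in self.permit):
            return False, "outside every IP permit entry"
        return True, "IP filter permits"

    def decide(self, ip, mac):
        """Final verdict: a matching MAC entry takes priority over the IP decision."""
        key = normalize_mac(mac)
        if key in self.mac_deny:
            return False, "MAC deny entry"
        if key in self.mac_allow:
            return True, "MAC allow entry"
        return self.ip_decision(ip)


def mac_overrides(policy, hosts):
    """Return the hosts whose MAC entry reverses what the IP filter alone would decide."""
    flagged = []
    for ip, mac in hosts:
        ip_ok, _ = policy.ip_decision(ip)
        final_ok, reason = policy.decide(ip, mac)
        if ip_ok != final_ok:
            flagged.append((ip, mac, reason))
    return flagged


# Constructed sample policy and hosts (documentation address ranges, not real devices).
EXAMPLE_POLICY = FilterPolicy(
    permit=["192.0.2.10-192.0.2.50"],
    reject=["192.0.2.20"],
    mac_allow=["00:00:5E:00:53:01"],
    mac_deny=["00-00-5e-00-53-02"],
)
EXAMPLE_HOSTS = [
    ("192.0.2.15", "00:00:5e:00:53:aa"),    # inside the permit range
    ("192.0.2.20", "00:00:5e:00:53:ab"),    # rejected address inside the range
    ("192.0.2.20", "00:00:5e:00:53:01"),    # same IP, but MAC is on the allow list
    ("192.0.2.15", "00:00:5e:00:53:02"),    # permitted IP, but MAC is on the deny list
    ("198.51.100.7", "00:00:5e:00:53:ac"),  # outside every permit entry
]

if __name__ == "__main__":
    for ip, mac in EXAMPLE_HOSTS:
        allowed, reason = EXAMPLE_POLICY.decide(ip, mac)
        print(f"{ip:<14} {mac}  {'ALLOW' if allowed else 'DENY':<5} {reason}")
    print("MAC entries overriding the IP filter:", mac_overrides(EXAMPLE_POLICY, EXAMPLE_HOSTS))
```

The list returned by mac_overrides is the part worth reviewing: each entry is a system whose access depends on the MAC filter rather than on the IP ranges.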

IPv6 Support

IPv6 support is available in all newly released imageRUNNER/imagePRESS models, and available through a firmware upgrade for some older devices. IPv6 provides a more secure network infrastructure, improved traffic routing and easier management for administrators than IPv4. The United States Department of Defense (DOD) has established the goal of transitioning all their networked devices to the next generation of IPv6 by Fiscal Year 2008. Other agencies government-wide are beginning to move towards this trend and require IPv6 for all networked devices.

IPsec Support*

The latest imageRUNNER/imagePRESS devices support an optional IPSec Board, which allows users to utilize IPSec (Internet Protocol Security) to ensure the privacy and security of information sent to and from the device, while in transit over unsecured networks.

IPSec is a suite of protocols for securing IP communications. IPSec supports secure exchange of packets at the IP layer, where the packets in the data stream are authenticated and encrypted. It encrypts traffic so that the traffic cannot be read by parties other than those for whom it is intended, it also ensures that the traffic has not been modified along its path and is from a trusted party, and protects against replay of the secure session. The IPSec functionality of the device only supports transport mode, therefore authentication and encryption is only applied to the data part of the IP packets.

Once you install the optional IPSec Board to the device, you can use IPSec communications by going to Network Settings > TCP/IP Settings > IPSec Settings and set <Use IPSec> to [On]. ([IPSec Settings] is only displayed on the TCP/IP Settings screen if the optional IPSec Board is installed on the device). See the imageRUNNER/imagePRESS manual for the specific device in question for additional instructions on registering IPSec-based security policies.

[Figure: IP Address Range Settings Screen]


*Not available on all imageRUNNER/imagePRESS models.


Authentication and Encryption Method:

At least one of the following methods must be set for the device. You cannot set both methods at the same time.

• AH (Authentication Header): A protocol for certifying authentication by detecting modifications to the communicated data, including the IP header. The communicated data is not encrypted.

• ESP (Encapsulating Security Payload): A protocol that provides confidentiality via encryption while certifying the integrity and authentication of only the payload part of communicated data.

Key Exchange Protocol:

Supports IKEv1 (Internet Key Exchange version 1) for exchanging keys based on ISAKMP (Internet Security Association and Key Management Protocol). IKE includes two phases; in phase 1 the SA used for IKE (IKE SA) is created, and in phase 2 the SA used for IPSec (IPSec SA) is created.

To set authentication with the pre-shared key method, it is necessary to decide upon a pre-shared key in advance, which is a keyword (24 characters or less) used for both devices to send and receive data. Use the control panel of the device to set the same pre-shared key as the destination to perform IPSec communications with, and perform authentication with the pre-shared key method.

To select authentication with the digital signature method, it is necessary to install a key pair file and CA certificate file created on a PC in advance using the Remote UI, and then register the installed files using the control panel of the device. Authentication is conducted with the destinations for IPSec communication using the CA certificate.

The types of key pair and CA certificate that can be used for authentication with the digital signature method are indicated below.

• RSA algorithm
• X.509 certificate
• PKCS#12 format key pair

Wireless LAN

The latest imageRUNNER devices can also support wireless networking through the installation of an optional Wireless LAN Board.

The Wireless LAN Board is IPv6 compliant and supports the latest wireless traffic encryption standards, including WEP, WPA and WPA2, in addition to supporting the IEEE 802.1X authentication standard.

The Wireless LAN Board and the standard network interface of imageRUNNER devices cannot be used simultaneously, eliminating the possibility of maliciously using the device as a router or bridge to inter-connect two networks. Network communication functionality is automatically disabled for the standard network interface when the Wireless LAN Board is enabled.


IEEE 802.1X

The latest imageRUNNER/imagePRESS devices support IEEE 802.1x, which is a standard protocol for port-based Network Access Control and it provides authentication to devices attached to a LAN port. It establishes a point-to-point connection or prevents access from that port if authentication fails.

It attaches the Extensible Authentication Protocol (EAP) to both wired and wireless LAN networks for allowing multiple authentication methods like cards and one-time passwords.

IEEE 802.1X functionality is already supported by many Ethernet switches, and can prevent guest, rogue, or unmanaged computers that cannot perform a successful authentication from connecting to your network.

IEEE 802.1x addresses the following IEEE 802.11 security issues:

• User Identification & Strong authentication
• Dynamic key derivation
• Mutual authentication
• Per-packet authentication
• Dictionary attack precautions

Printer Driver Security Features

Secured Print/Encrypted Secured Print

Encrypted Secured Print and Secured Print are authenticated print functions that hold a job in queue until the user enters the appropriate password at the device. This ensures that the user is in close proximity before the document is printed and minimizes unattended papers left at the device. The imageRUNNER/imagePRESS device requires the user to set a password in the print driver window when sending a print job from a connected PC. The same password is also required for releasing the job at the device. When using the optional Encrypted Secured Print software, security is further enhanced by using strong encryption to protect Secure Print job data while in transit across the network. On imageRUNNER/imagePRESS Series devices equipped with the optional encrypted secured print, administrators can use the print job restriction feature to permit only encrypted secured print jobs at the designated imageRUNNER/imagePRESS device.

Administrators can force all users to utilize encrypted secured print* using the following settings: Press Additional Functions > System Settings > Only Allow Encrypted Secured Print Jobs > Set to [On]. A job will be canceled and an error message displayed if a print job other than an encrypted secured print job is received. (The default setting is [Off].)

[Figures: Secure Print Screen from the Printer Driver; Print Job Status Screen]

* When imageRUNNER/imagePRESS device is equipped with optional encrypted secured print software.

Print Job Accounting

A standard feature in Canon’s printer drivers, print job accounting requires users to enter an administrator-defined password prior to printing, thereby restricting device access to those authorized to print.

Mail Box Printing

Another secure document delivery feature, Mail Box printing allows users to send a job to their individual Mail Box. Once stored in the Mail Box (if the Mail Box is password protected), a user must enter their password to retrieve documents. On newer imageRUNNER/imagePRESS devices, administrators can use the Print Job Restriction feature to restrict direct printing from a desktop to the Color imageRUNNER/imagePRESS Series. This forces all print jobs to be stored in a Mail Box or in the Hold Queue before printing can be performed by users.

Administrators can force all users to utilize Mail Box printing using the following settings: Press Additional Functions > System Settings > Restrict Printer Jobs > Set to [On] (The default setting is [Off]). A job will be canceled and an error message displayed if a print job other than a store to user inbox print job is selected as the output method.

[Figures: Print Job Accounting Screen; Mail Box Store Destination Screen; Mail Box Set/Store Password Screen]

Universal Send Security

For Universal Send enabled devices, information found in the Send screen may be considered confidential and sensitive to certain users. For these devices, there are additional security features to prevent confidential information from being released. All new imagePlatform based devices have a System Settings button that can be protected by a System Manager ID and System Password to prohibit anyone other than the System Manager from changing device settings.

The Universal Send Security Feature Set enables you to encrypt PDF files and set a password to send PDF files safely to a file server or e-mail address. It also enables the recipient of the PDF or XPS files to verify which device scanned it.

Encrypted PDF:

The Encrypted PDF mode enables you to encrypt PDF files that you send to an e-mail address or file server for enhanced security. Only users who enter the correct password can open, print, or change the received PDF.

Device Signature PDF or Device Signature XPS*:

The Device Signature PDF or the Device Signature XPS mode uses the device signature certificate and key pair inside the machine to add a digital signature to the document, which enables the recipient to verify which device scanned it.

User Signature PDF or User Signature XPS:

If the optional Digital User Signature PDF kit is activated, users can install a digital signature that embeds their name and email address to confirm their identity as the source of the document and to provide notification if changes have been made. In order to use Digital User Signature Mode, SDL or SSO authentication must be enabled and a valid certificate installed on the device.

Address Book Password

Administrative and individual passwords can be set for Address Book Management functions. A system administrator can define the specific Address Book data that can be viewed by users, effectively masking private details. This password may be set separately from the System Settings user name and password, so individuals other than the System Manager can administer the Address Book.

By setting a password for an Address Book, the ability to Store, Edit, or Erase individual and group e-mail addresses in the book is restricted. Therefore, only individuals with the correct password for an Address Book will be able to make modifications. System Managers can set the password in Additional Functions > System Settings > Restrict the Send Function > Address book Password. A maximum number of seven digits may be set as the password.

This same password is also used for the Address Book Import/Export function through the Remote UI utility.

[Figure: Address Book Password Screen]

* Not available on all imageRUNNER/imagePRESS models.

Access Code for Address Book

End-users will also have the capacity to place an access number code on addresses in the Address Book. When registering an address in the Additional Functions section, users can then enter an Access Number to restrict the display of that address in the book. This function limits the display and use of an address in the Address Book to those users who have the correct code. The Access Number can be turned on or off, depending on the level of security the end-user finds necessary. The Access Number can be set in Additional Functions > System Settings > Restrict the Send Function > Access Number Management.

Destination Restriction Function

Data transmission to a new destination with Universal Send can be limited through the use of System Settings. This function prohibits transmissions to locations other than the destinations registered or permitted by the System Manager.

In addition to restricting all new destinations, administrators can also restrict the addition of new addresses for specific destination types that are available to users when sending documents with Universal Send. Permissions can be set to enable or disable the entry of new addresses for the following:

• Entries in the Address Book
• LDAP servers
• User Inboxes
• One-touch buttons
• Favorites buttons
• The user’s e-mail address (Send to Myself, if using SDL/SSO login)

SNMP Community String

Community Strings are like passwords for the management elements of network devices. There is a community string which is used for read-only access to a network element. The default value for this community string for most network devices is often “public”. Using this community string an application can retrieve data from the imageRUNNER/imagePRESS Management Information Base (MIB) elements. There is also a read-write community string, and its default value is usually “private.” Using the read-write community string, an application can actually change values for MIB variables.

imageRUNNER/imagePRESS devices use “private” and “public” as the default SNMP community strings, but these may be renamed to a user-defined value for increased security.

To modify SNMP community strings go to Additional Functions > System settings > Network Settings > SNMP Settings.
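To check whether the default community strings described above are still in use, the following added example (not Canon code) decodes the header of captured SNMPv1/v2c datagrams and flags “public” and “private”. It relies on the fact that community-based SNMP carries the string unencrypted in every message; the sample datagrams, the renamed community "iR-fleet-ro" and the severity labels are constructed for illustration.

```python
# Added example: audit captured SNMPv1/v2c datagrams for default community strings.
DEFAULT_COMMUNITIES = {"public", "private"}
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest"}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


def parse_snmp_header(datagram):
    """Extract version, community string and PDU type from one datagram."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, ver, pos = _read_tlv(body, 0)
    if tag != 0x02 or int.from_bytes(ver, "big") not in (0, 1):
        raise ValueError("not community-based SNMP (v1/v2c)")
    tag, community, pos = _read_tlv(body, pos)
    if tag != 0x04 or pos >= len(body):
        raise ValueError("missing community string or PDU")
    return {"version": "v1" if ver == b"\x00" else "v2c",
            "community": community.decode("latin-1"),
            "pdu": PDU_NAMES.get(body[pos], hex(body[pos]))}


def audit(datagrams):
    """Return (index, community, pdu, severity) for each default-community hit."""
    findings = []
    for i, dgram in enumerate(datagrams):
        try:
            hdr = parse_snmp_header(dgram)
        except ValueError:
            continue                       # not SNMPv1/v2c, ignore
        if hdr["community"] in DEFAULT_COMMUNITIES:
            # A write request under a default string means MIB values can be changed.
            severity = "high" if hdr["pdu"] == "SetRequest" else "medium"
            findings.append((i, hdr["community"], hdr["pdu"], severity))
    return findings


def _tlv(tag, value):
    if len(value) > 127:
        raise ValueError("sample builder only handles short-form lengths")
    return bytes([tag, len(value)]) + value


def build_sample(community, pdu_tag):
    """Construct a sample SNMPv1 request for sysDescr.0 (1.3.6.1.2.1.1.1.0)."""
    varbind = _tlv(0x30, _tlv(0x06, bytes.fromhex("2b06010201010100")) + _tlv(0x05, b""))
    pdu = _tlv(pdu_tag, _tlv(0x02, b"\x01") + _tlv(0x02, b"\x00")
               + _tlv(0x02, b"\x00") + _tlv(0x30, varbind))
    return _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x04, community.encode()) + pdu)


if __name__ == "__main__":
    capture = [build_sample("public", 0xA0), build_sample("private", 0xA3),
               build_sample("iR-fleet-ro", 0xA0)]   # constructed traffic
    for finding in audit(capture):
        print(finding)
```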

[Figure: Address Book Access Code Enable/Disable Screen]

USB Block

USB Block allows the System Administrator to help protect the imageRUNNER/imagePRESS device against unauthorized access through the built-in USB interface. Access to the imageRUNNER/imagePRESS through the USB interface for desktop access and the device’s host mode for other USB devices can each be permitted or disabled.

Go to Additional Functions > System settings > USB Settings > Use USB Device On/Off or > Use USB Host On/Off.

Virus Concerns for Email Reception

For those imageRUNNER/imagePRESS devices with Universal Send capabilities, if an e-mail with an attached data virus is received, the imageRUNNER/imagePRESS will always discard the virus upon receipt.

Universal Send-enabled devices support POP3 and SMTP as e-mail reception protocols. When data is received, the e-mail text is separated from any file attachments, and only TIFF image files among the attached files are printed and transferred.

Three possible scenarios are explored:

1. Data with a virus attached in the e-mail:
All file attachments except for ‘TIFF’ files received in the e-mail are discarded immediately after reception.

2. Viruses pretending to be TIFF files:
TIFF image files are compressed with formats such as MH, MR, and MMR. The imageRUNNER/imagePRESS device compresses the ‘TIFF’ format at reception and after regenerating the image encodes the image again. When processed correctly, the original image is discarded and a new image is created, printed, and transferred. If an error occurs during the process, the data from the ‘TIFF’ file is not transferred but is discarded, and a message notifying the user of the error is added to the e-mail text and is printed.

3. Text within e-mail is a virus:
E-mail text data gives the Date, From, Message-Id, To, or Subject data written at the top of the received e-mail for printing and transfer. The e-mail text data is comprised of character strings (processed with function calls such as fgets() or fprintf()). If binary data such as data with a virus is used in the e-mail text, the data will be damaged and data with a virus will be discarded. Even if the data with a virus is visible data with a script format, it is not possible to recognize it as a script because Date, From, Message-Id, To, or Subject data is attached at the top.
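The reception policy in the three scenarios above can be sketched as an attachment triage routine. This is an added example, not Canon firmware: it uses Python's standard email package, the message and file names are constructed, and a check of the TIFF byte-order header stands in for the decode and re-encode step the device performs.

```python
# Added example: keep only genuine TIFF attachments, discard everything else,
# and print the e-mail text with its header fields written at the top.
from email import message_from_bytes, policy
from email.message import EmailMessage

TIFF_MAGIC = (b"II*\x00", b"MM\x00*")      # little-endian and big-endian TIFF
HEADER_FIELDS = ("Date", "From", "Message-Id", "To", "Subject")


def build_sample_message():
    """Construct a sample e-mail with one real TIFF header and two bad attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "mfp@example.com"
    msg["Subject"] = "scan"
    msg.set_content("Please print.")
    msg.add_attachment(b"II*\x00\x08\x00\x00\x00" + b"\x00" * 8,
                       maintype="image", subtype="tiff", filename="page1.tif")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16,
                       maintype="application", subtype="octet-stream",
                       filename="invoice.exe")
    # Declared as TIFF, but the content starts with an executable header.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16,
                       maintype="image", subtype="tiff", filename="page2.tif")
    return msg.as_bytes()


def triage(raw):
    """Separate text from attachments and decide what is kept or discarded."""
    msg = message_from_bytes(raw, policy=policy.default)
    kept, discarded = [], []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if part.get_content_type() != "image/tiff":
            discarded.append((name, "not a TIFF attachment"))          # scenario 1
        elif data[:4] not in TIFF_MAGIC:
            discarded.append((name, "declared TIFF but header is not TIFF"))  # scenario 2
        else:
            kept.append(name)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body is not None else ""
    # Scenario 3: the text is treated as character data with header fields on top.
    header_block = "\n".join(f"{h}: {msg[h]}" for h in HEADER_FIELDS
                             if msg[h] is not None)
    return {"kept": kept, "discarded": discarded,
            "printed_text": header_block + "\n\n" + text}


if __name__ == "__main__":
    result = triage(build_sample_message())
    print("kept:", result["kept"])
    for name, reason in result["discarded"]:
        print("discarded:", name, "-", reason)
    print(result["printed_text"])
```

A header check alone does not prove a file is a safe TIFF; regenerating the image, as the device is described as doing, is what removes content that merely carries a valid header.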

Job Log Data Protection

The job history stored within the imageRUNNER/imagePRESS job log may be considered sensitive information by some users. The display of the job log data can be turned ON/OFF. The default of the job log data display is ON.

See page 24 for more information on how to conceal Job Log data.


Fax Security*

Canon imageRUNNER devices that support Super G3 fax capabilities with the optional Super G3 Fax Board installed can be connected to the Public Switched Telephone Network for sending and receiving of fax data. In order to maintain the security of customers’ networks in relation to this potential interface, Canon has designed its Super G3 Fax Boards in the following manner:

• There is no functional module such as a Remote Access Service that enables communication between a phone line and a network connection within the device.

• The Super G3 Fax Boards cannot receive data files, but are only capable of receiving and decoding facsimile transmissions. As a result, virus-laden files sent to an imagePlatform device via its phone line connection cannot be processed.

• The modem on the Super G3 Fax Boards does not have Data Modem capability, but only Fax Modem capability. As a result, TCP/IP communication through the phone line is impossible. Even if the device receives a data file that pretends to be FAX image data but contains a virus, the received data must be decoded first. While trying to decode the virus the phone line will be disconnected with a decode error and the received data will be discarded.

• Although a received fax document can be accessed from the network through the Confidential Fax Mail Box function inherent in the device, or automatically forwarded to a network, it is not possible to breach the network in either instance, as these capabilities are afforded following completion of facsimile communication. Since the data stored in the Confidential Fax Mail Box is in fax format, there is no threat of virus infection.

• The PC Fax function can fax documents from the PC via Network, using a Fax driver that runs on the PC. However, data transfer from the PC via Network to the device and data transfer (FAX transmission) from the phone line via the G3 FAX board are structurally separated.

• Fax Polling is the only function that enables users to handle documents stored in a polling box. Any action associated with these documents stored in a polling box is performed using G3 Fax protocols, which provide no means of accessing a local network.

*imagePRESS devices do not support fax functionality.


2.3 – Security Monitoring/Management Tools

Canon provides a number of tools to help organizations enforce their internal company policies and meet regulatory requirements. Whether a single imageRUNNER/imagePRESS device is deployed, or a fleet of imageRUNNER/imagePRESS devices, the imageWARE Accounting Manager and Access Management System software options provide the ability to audit usage and limit access to features and functions enterprise-wide, at the group and user level.

Canon imageWARE Accounting Manager*

Canon imageWARE Accounting Manager provides enhanced audit tracking capabilities to the end-user environment. In addition to tracking usage by Department ID or SDL, imageWARE Accounting Manager in conjunction with SSO will provide the ability to track usage per individual user.

Canon imageWARE Accounting Manager provides the capability to:

• Track copy, scan, send & fax jobs
• Track by paper type, single and double-sided output or N-Up output
• Track by device
• Track by Individual, group or department
• Track by black-and-white or color copy/print jobs
• Multi-tiered billing codes for charge back purposes
• Analyze department/device workload
• Enforce usage limits
• Export reports
• Input billing codes from the device control panel through MEAP application

Canon imageWARE Accounting Manager uses the Department ID of authenticated users to manage and track usage. When SSO authentication is used, administrators can map the user credentials to the respective Active Directory account for tracking.

*Canon imageWARE Accounting Manager is supported by all imageRUNNER devices and the imagePRESS-C1 model only.


Access Management System Kit*

The Access Management System Kit can be used to tightly control access to device functionality. Restrictions can be assigned to users and groups, to restrict entire functions or restrict specific features within a function. Access restrictions are managed in units called “roles”. Roles contain information that determines which of the various functions of the device may be used or not.

Roles can be set up based on individual user’s job title or responsibilities or by group, enabling the administrator to create roles specific to certain departments or workgroups. Since the administrator is not limited to restricting all or none of a particular function, the roles can be as specific as is required for a number of business needs. Beyond the Base roles which contain default access restrictions, up to 100 new Custom roles can be registered for up to 5,000 users. The administrator can also define whether to allow unregistered users to log in as guests and then specify settings for guest user’s roles.

The following describes the various base access levels (roles) that are available:

*Canon Access Management System is supported by all imageRUNNER Devices and the imagePRESS-C1 only.

Access Privileges by Access Level

Access Level      Access privileges
Administrators    Given privileges to operate all device functions
Power Users       Given privileges to operate device functions in user mode and their jobs
Generic Users     Given privileges to operate device functions in user mode except for Address Book and their jobs
Limited Users     Given privileges to operate their jobs only
Guest             Disallowed to modify device settings and denied access to the send, web access, and MEAP functions


The following functions and features can be restricted:

Device Function      Values                 Description
Print                Allowed, Not Allowed   Allows or prohibits using applications related to the Print function.
Copy                 Allowed, Not Allowed   Allows or prohibits using applications related to the Copy function.
Send                 Allowed, Not Allowed   Allows or prohibits using applications related to the Send function. (Including the Fax function).
Mail Box             Allowed, Not Allowed   Allows or prohibits using applications related to the Mail Box function. (Including Job Hold function).
Web Access           Allowed, Not Allowed   Allows or prohibits using application related to the Web Access function.
Utility              Allowed, Not Allowed   Allows or prohibits using applications related to Utilities.
MEAP Applications    Allowed, Not Allowed   Allows or prohibits the use of MEAP applications.
Others               Allowed, Not Allowed   Allows or prohibits using other applications.

Access Management System Realtime Workflow

When the Access Management System has been enabled, users must log in to the device using SDL/SSO user authentication. Access Management System supports authentication through Active Directory using SSO-H, which includes support for Kerberos Authentication. Once a user logs into the device with their user name and password, the device can determine which roles are assigned to that particular user. Restrictions are applied based on the assigned roles. If an entire function is restricted, the tab will not appear on the control panel for that particular user or group.


In addition to the wide variety of device and network security features that are standard on imagePlatform-based devices, Canon offers advanced security options to assist companies in meeting their internal privacy goals and addressing strict regulation guidelines.

Developed in accordance with extended security requirements of key customers and U.S. government agencies, Canon offers advanced security features that include:

• Canon Advanced imageRUNNER Security Solutions
  - HDD Data Encryption
  - HDD Data Erase
  - Job Log Conceal

• Other Optional Advanced Security Features
  - HDD Format
  - Removable HDD

3.1 – Canon Advanced imageRUNNER Security Solutions

HDD Data Encryption Kit

The HDD Data Encryption Kit option ensures that all data stored on the internal disk drive is protected using industry-standard algorithms. The HDD Data Encryption Kit is a dedicated plug-in board that encrypts every byte of data before it is committed to the disk using 256-bit AES (Advanced Encryption Standard) or 168-bit 3DES (Triple Data Encryption Standard) algorithms, depending on the device model.

Encryption on the hard drive is achieved through a multi-step process to mitigate the risk of unauthorized disclosure. First, the imageRUNNER/imagePRESS device uses mathematical algorithms to scramble bits of data. The data is then encrypted using a secret key created in the imageRUNNER/imagePRESS device before it is written to the internal disk drive, providing protection for both temporary and permanent data such as documents stored in Mail Boxes. Finally, the data is stored in random, non-contiguous locations on the imageRUNNER/imagePRESS device’s hard drive to make the intelligible reconstruction of files infeasible in the event the disk is removed.

Canon’s HDD Data Encryption Kit for imageRUNNER/imagePRESS devices has received Common Criteria Certification of Evaluation Assurance Level 3 (EAL3).

Please refer to the Addendum for information on the optional HDD Data Encryption Kit available for each imageRUNNER/imagePRESS device.

HDD Data Erase Kit

Through the use of the optional HDD Data Erase Kit, security conscious customers can configure their imageRUNNER/imagePRESS systems to overwrite the internal image server hard disk, erasing previous data stored as part of routine job processing. The HDD Data Erase Kit offers administrative options that allow the system administrators to configure the level of overwrite protection.

Section 3 — Advanced Security Features


The following are supported methods of hard drive data erase. Configuration of this setting is made in service mode, by an Authorized Canon Service Technician.

A disk overwrite can also be forced by the device administrator through the System Settings option. From the Additional Functions screen, the administrator can select [On] or [Off] for Hard Disk Data Complete Erase. The settings can be made under Additional Functions > System Settings > Hard Disk Data Erase. If [On] is selected, data from the hard disk will be erased completely. If [Off] is selected the data will not be completely erased. The default setting is [Off].

Please refer to the Addendum for information on the optional HDD Data Erase Kit available for each imageRUNNER/imagePRESS device.

Timing of Overwrite

The timing of the delete is sensitive to what mode and finishing options are set at the time of print out. Generally, if a jam or other unexpected abnormal end to operation occurs on the device, page data will be stored until the job can be completed and then overwritten on the hard disk drive.

Please see below for examples of what occurs on the device in certain job modes using a job consisting of three sets of three originals.

1. Copy/Print Mode:

a. Group Sort
When a user programs a job to be sorted into group sets with no finishing specified, the page data would be overwritten every time a ‘set’ is complete.

b. Collate Sort
When a user programs a job to be sorted into collated sets with no finishing specified, the page data would be overwritten as each page of the last set is printed out.

Number of Overwrites   Values   Description
0                      OFF      Do not erase (default Setting)
1                      ON       Cleared once with NULL data (Clear with “0”)
2                      ON       Cleared once with random data
3                      ON       Cleared three times with random data


c. Staple Sort
When a user programs a job to be sorted into stapled sets, the page data will be overwritten page-by-page after all of the stapled sets finish printing.

d. Remote/Cascade Copy
When a user programs a remote or cascade copy job, depending on the settings chosen, page data will either immediately be overwritten page-by-page or the page data will be overwritten page-by-page after the entire job has finished.

2. Mail Box Print

a. Mail Box Print
When a user prints a job stored in the Mail Box, all pages will be overwritten immediately after the entire job has printed out.

[Figure: Mail Box Print]

3. Send/Scan Job

a. Send/Scan data
When a user sends or scans a job to another destination, all page data will be deleted or overwritten immediately after the entire job has been sent.

b. Fax/I-Fax Data
When the “Fax Activity Report” function is set to ‘On’, the data will be overwritten immediately after the device receives confirmation of a successful transmission. If the transmission fails, the data will remain while the device retries. If the “Fax Activity Report” is set to ‘Off’, all data will be deleted at once.

Performance Impact Using the HDD Erase Kit

It is important to note that the HDD Erase Kit settings can affect overall performance of the device depending on what types of jobs are being submitted to the device, and the selected level of overwrite protection. If many large jobs are sent to the device with the ‘Overwrite Three Times’ option selected, then delays, although minimal, should be expected for devices with speeds over 50 images per minute (ipm). For devices with speeds lower than 50 ipm, HDD Erase Kit related settings will have no impact on performance.
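The four overwrite levels in the Number of Overwrites table (0 to 3) can be reproduced on an ordinary file to see what each pass leaves behind. This is an added example, not the HDD Data Erase Kit's implementation: the file contents are constructed, and it assumes a conventional hard disk where writing in place reaches the same blocks, which does not hold for SSDs or copy-on-write file systems.

```python
# Added example: apply the overwrite levels from the table to a scratch file.
import os
import tempfile

# Level -> sequence of passes, following the table on this page.
PASSES = {0: [], 1: ["null"], 2: ["random"], 3: ["random", "random", "random"]}


def overwrite_file(path, level, chunk=64 * 1024):
    """Overwrite the file in place and return the number of passes performed."""
    if level not in PASSES:
        raise ValueError("level must be 0, 1, 2 or 3")
    size = os.path.getsize(path)
    for kind in PASSES[level]:
        with open(path, "r+b") as handle:      # r+b keeps the existing length
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                handle.write(b"\x00" * n if kind == "null" else os.urandom(n))
                remaining -= n
            handle.flush()
            os.fsync(handle.fileno())          # push each pass to the device
    return len(PASSES[level])


def demo(level):
    """Write constructed page data, overwrite it, and report what remains."""
    marker = b"CONSTRUCTED PAGE DATA "
    original = marker * 1000
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as handle:
            handle.write(original)
        passes = overwrite_file(path, level)
        with open(path, "rb") as handle:
            after = handle.read()
    finally:
        os.remove(path)
    return {"passes": passes,
            "same_size": len(after) == len(original),
            "plaintext_found": marker in after,
            "all_zero": after.count(0) == len(after)}


if __name__ == "__main__":
    for level in sorted(PASSES):
        print(level, demo(level))
```

Each extra pass rewrites the full data size again, which is the cost behind the delays the page describes for the three-pass setting on large jobs.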

Job Log Conceal Function*

The Job Log Conceal function ensures that jobs processed through the device are not visible to a walk up user or through the Remote UI. The Job Log information, although concealed, is still accessible by the administrator, who can print the Job Log to show copy, fax, print and scan usage on the device. The administrator can select [On] or [Off] for the Job Log Display under Additional Functions > System Settings > System Monitor Screen Restriction > Job Log Display. When [On] is selected, the job log is displayed. If Job Log Display is set to [Off], the following features and settings will not be displayed on screen or activated:

• Copy, send, fax, and print log from System Monitor

• Receive from System Monitor

• Send Activity management report when equipped with Canon’s optional Universal Send Kit

• Fax Activity management report

• Auto print is set to [Off], disabling the Daily Send & Fax Activity Report

The default setting for Job Log Conceal is [Off].

*The Job Log Conceal feature is now standard on some newer imageRUNNER models, and available through a firmware upgrade for Color imageRUNNER C5180/C4580/C4080/C3380/C2880 and imageRUNNER 7105/7095/7086/5075/5065/5055 devices.

[Figure: Job Log Conceal Screen]

3.2 – Other Advanced Security Features

Standard HDD Format*

Best practices, and often company policies, usually recommend that systems be completely wiped prior to being redeployed or at the end of their usable life. The Hard Disk Drive Format feature, which is standard with all imageRUNNER/imagePRESS devices, completely overwrites all data stored on the hard disk with null data. This includes files, job logs, Address Books, and customized user mode settings, all in a single operation. If the optional HDD Erase Kit is installed, the HDD Format feature provides additional overwrite options, including the choice to overwrite three times with random data.

Removable HDD**

The imageRUNNER Removable HDD Kit option provides a means for system administrators to physically lock the device’s internal hard disk drive into the system during normal operation, thereby decreasing the risk of theft. Once the device has been powered down, the drive can be unlocked and removed for storage in a secure location.

This section provides an overview of the security features on non-imagePlatform-based imageRUNNER devices. Due to the difference in architecture from the imagePlatform, non-imagePlatform imageRUNNER devices deal with data differently across certain functions. Whereas the imagePlatform device uses the internal image server memory (RAM or HDD) for copying, printing, and faxing (depending on the model), non-imagePlatform devices use their internal image server memory only for copy and printing functions.

Canon’s legacy GP200 Series product line, imageRUNNER 200L, and imageRUNNER 210 lack an image server, therefore the copy function does not store the information on the system. These systems instead make copies on a page-by-page basis, scanning each page based on the number of copies requested. As a result, no page data is stored on the system, which renders it impossible for anyone to walk up to the device and get latent image information. When printing, these devices are unable to store data on the device due to a lack of internal memory and jobs are printed immediately.

4.1 – Standard Device Security

Department ID Management***

An embedded feature in non-imagePlatform devices, this function is used to set parameters for users of the device. The device administrator can set controls that limit users to a set number of copies, a maximum Mail Box allocation and maximum limits for copy/Mail Box functions. As an option, customers can add a card reader unit to the device and control copy maximums based on the configuration of the device.

*Please see the imageRUNNER Bulletin #5.08- HDD Overwrite Procedures for End of imageRUNNER Lifecycle Procedures to learn more about this feature.

**Removable HDD Kit is only available for select imageRUNNER/imagePRESS devices.

***Department ID Management limit function is only available on imagePlatform-based devices.

Section 4 — Security Solutions in non-imagePlatform Devices


Restricting Device Setup Screens (displayed on the LCD panel User Interface)

A standard feature, imageRUNNER device setup screens can be password protected, thereby ensuring that administrative device settings are not changed without appropriate authority. When a device administrator uses the System Settings menu, they can set network information, system configuration and enable and disable network and printing protocols among many other options.

Mail Box Password Protection*

The imageRUNNER 550/600/60 and 330/400 product ships with up to 100 User Mail Boxes. These Mail Boxes can be used for storage of scanned and printed data for integrating scanned and printed data, or for up to three days document storage. Mail Box security is provided by the ability to designate unique passwords for access of individual device Mail Boxes.

4.2 – Network and Print Security

Print Job Accounting

A standard feature in Canon’s printer drivers, print job accounting requires users to enter an administrator-defined password prior to printing, thereby restricting device access to those authorized to print.

Mail Box Printing**

Another secure document delivery feature, Mail Box printing allows users to send a job to their individual Mail Box. Once stored in the Mail Box (if the Mail Box is password protected), a user must enter their password to retrieve jobs previously stored.

4.3 – Memory Security

The majority of jobs processed by non-imagePlatform systems result in images being written to the image server, hard disk drive and RAM, where it is compressed and randomly stored. The FAT (File Allocation Table), which has all the allocation data of the job, is stored in a separate location of the image server. When utilizing their internal image server, the data flow for the non-imagePlatform imageRUNNER products, whether it is RAM (iR330/400) or hard disk (iR550/600), is directed in the same manner as that of the imagePlatform-based imageRUNNERs.

4.4 – Fax Security

Fax functions on the imageRUNNER 200L/210/330/400 will operate in a manner similar to that described under “Fax Security” in Section 2, page 17. Instead of storing page data in an image server, all fax data is stored in RAM on the imageRUNNER 200L/210/330/400 fax board. Other than this, the operation of fax is identical.

Please see Section 2 for more detailed information.

*The Multi-PDL Network printer board or the Network Printer Board needs to be installed in order to use the Mail Box feature. Mail Boxes are not available on GP series, imageRUNNER 200L, and imageRUNNER 210 models.

**Does not apply to the GP series, imageRUNNER 200L, and 210.

Section 4 — Security Solutions in non-imagePlatform Devices


5.1 – Common Criteria

Beginning on July 1, 2002, the Department of Defense required a broad group of commercial hardware/software suppliers to have their products evaluated using a standard known as Common Criteria to determine their fitness for the department’s use.

Following the development of the Common Criteria, the National Institute of Standards and Technology and the National Security Agency, in cooperation and collaboration with the U.S. State Department, worked closely with their partners in the CC Project to produce a mutual recognition arrangement for IT security evaluations that use the Common Criteria. The Arrangement is officially known as the Arrangement on the Mutual Recognition of Common Criteria Certificates in the field of IT Security. It states that each participant will recognize evaluations performed using the Common Criteria evaluation methodology where product certificates have been issued by the Mutually Recognized producing nations for EAL1-EAL4 evaluations. Evaluation Assurance components found in EAL5-EAL7 are not part of the mutual recognition arrangement.

The list of Common Criteria Recognition Arrangement members currently includes Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Republic of Korea, Netherlands, New Zealand, Norway, Singapore, Spain, Sweden, Turkey, United Kingdom and United States.

5.2 – Common Criteria Certification

The Common Criteria for Information Technology Security Evaluation (CC), ISO/IEC 15408 Standard, defines general concepts and principles of IT security evaluation and presents a general model of evaluation. It presents constructs for expressing IT security objectives, for selecting and defining IT security requirements, and for writing high-level specifications for products and systems. It specifies information security functional requirements and seven predefined assurance packages, known as Evaluated Assurance Levels (EALs), against which products' functions are tested and evaluated. The seven EALs provide both the vendor and user with flexibility to define functional and assurance requirements that are unique to their operating environments and to obtain an evaluated product best suited to those needs.

Hardware and software companies around the world use the Common Criteria (CC) evaluation program to provide a means of comparison for the level of assurance that their products provide. As a cautionary note, while the evaluation program is very effective at validating a manufacturer’s claims, it does not measure the overall security capabilities or vulnerabilities as a whole. Therefore, Common Criteria certification should be one of many considerations when choosing security-related products instead of being considered the de-facto standard.

Section 5 — Canon Solutions and Regulatory Requirements


Since they were initially introduced, the highly successful Canon imageRUNNER/imagePRESS series of devices have rapidly grown in both the breadth and depth of features and functions. With each release, these devices have become increasingly integrated within the IT and network infrastructure. As with any networked device, imaging and printing devices must be included within the broader context of the company’s overall security strategy to ensure the confidentiality, integrity and availability of information.

To meet the need for a comprehensive and customizable security solution for any environment, Canon imageRUNNER/imagePRESS devices offer a robust set of standard features and optional components. When properly deployed, an imageRUNNER/imagePRESS device can be effectively protected against vulnerabilities from either malicious or unintentional use. Combined with advanced monitoring and management tools for auditing and centralized administration, Canon imageRUNNER/imagePRESS devices can meet the demand for increased productivity and strong security.

As corporate privacy goals and regulation guidelines have become stricter, it is important to assess the level of security that all deployed imaging and printing devices provide. After careful review, existing devices may need to be either upgraded or replaced based on each unique environment.

Canon is committed to the security of mission critical information, and is continually developing new technologies to provide a total and reliable solution. For more information, please visit http://www.usa.canon.com.

Section 6 — Conclusion


7.1 – Canon Security Recommendations Quick Reference

The following actions are recommended by Canon as appropriate first steps in securing the Canon imageRUNNER or imagePRESS device for most environments. While these suggestions assist in enhancing device security, internal company security policies should ultimately dictate which security measures are appropriate for implementation within a specific environment.

1. Set the system administrator ID and password
2. Disable unused ports and applications (e.g. FTP, RUI)
3. Set passwords for MailBoxes
4. Restrict printing and RUI access to specific IP or MAC addresses
5. Set passwords for Address Book management
6. Change the SNMP community strings
7. Disable the USB port if unused
8. Utilize Optional Hard Disk Drive Erase Kit or Hard Disk Drive Encryption Kit to ensure integrity of data stored on internal imageRUNNER/imagePRESS Hard Disk Drives
9. Enable and configure Department ID to manage user device access permissions on a departmental or user level
10. Monitor the devices using imageWARE EMC
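The checklist items that reduce to a device setting (1 through 7) can be checked across a fleet from an inventory of recorded settings. The following Python example is added here and is not from Canon or the white paper; the record field names, the sample records and the set of default community strings are assumptions made for the example.

```python
import ipaddress

# Assumption: community strings treated as unchanged factory defaults.
DEFAULT_COMMUNITIES = {"public", "private"}

def audit_device(cfg):
    """Return (checklist item, finding) pairs; field names are hypothetical."""
    findings = []
    if not (cfg.get("admin_id_set") and cfg.get("admin_password_set")):
        findings.append((1, "system administrator ID/password not set"))
    # Item 2: a service that is enabled but not required by the site is unused.
    unused = sorted(set(cfg.get("enabled_services", []))
                    - set(cfg.get("required_services", [])))
    if unused:
        findings.append((2, "unused services enabled: " + ", ".join(unused)))
    open_boxes = [b for b in cfg.get("mailboxes", []) if not b.get("password_set")]
    if open_boxes:
        findings.append((3, f"{len(open_boxes)} Mail Box(es) without a password"))
    # Item 4: an empty allowlist or a catch-all network restricts nothing.
    nets = [ipaddress.ip_network(n, strict=False)
            for n in cfg.get("allowed_networks", [])]
    if not nets or any(n.prefixlen == 0 for n in nets):
        findings.append((4, "print/RUI access not limited to specific addresses"))
    if not cfg.get("address_book_password_set"):
        findings.append((5, "Address Book management has no password"))
    if set(cfg.get("snmp_communities", [])) & DEFAULT_COMMUNITIES:
        findings.append((6, "SNMP community strings still at default values"))
    if cfg.get("usb_enabled") and not cfg.get("usb_required"):
        findings.append((7, "USB port enabled but unused"))
    return findings

# Constructed sample records (not taken from any real device).
OUT_OF_BOX = {
    "admin_id_set": False, "admin_password_set": False,
    "enabled_services": ["ftp", "rui", "lpd", "snmp"],
    "required_services": ["lpd", "snmp"],
    "mailboxes": [{"id": 0, "password_set": False}, {"id": 1, "password_set": True}],
    "allowed_networks": ["0.0.0.0/0"], "address_book_password_set": False,
    "snmp_communities": ["public"], "usb_enabled": True, "usb_required": False,
}
HARDENED = {
    "admin_id_set": True, "admin_password_set": True,
    "enabled_services": ["lpd", "snmp"], "required_services": ["lpd", "snmp"],
    "mailboxes": [{"id": 0, "password_set": True}],
    "allowed_networks": ["10.20.30.0/24"], "address_book_password_set": True,
    "snmp_communities": ["site-ro-7f3a"], "usb_enabled": False,
}
```

Items 8 through 10 depend on installed options and on monitoring software, so they are left to the deployment review rather than a settings check.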

Section 7 — Addendum


7.2 – Compatibility Charts for Optional Hard Disk Drive Data Erase Kits and Encryption Kits

X = Feature available    – = Does not apply    N/A = Not available

Security kits with separated encryption and data overwrite functions

Functions (values listed as Data Encryption Kit | Data Erase Kit; rows showing a single value are given as they appear in the chart)

Common Criteria Certification: EAL3 | N/A
Supported Devices (Data Encryption Kit): Color imageRUNNER C5185/C5185i/C4580 V2/C4580i V2/C4080 V2/C4080i V2/C3480/C3480i/C3380 V2/C3380i V2/C3080/C3080i/C2880 V2/C2880i V2/C2550; imageRUNNER 7105 V2/7095 V2/7086 V2/7095 Printer V2/5075/5065/5055/3245/3245i/3235/3235i/3230/3225/3045/3035/3030/3025; imagePRESS C1
Supported Devices (Data Erase Kit): Color imageRUNNER C5185/C5185i/C4580 V2/C4580i V2/C4080 V2/C4080i V2/C3480/C3480i/C3380 V2/C3380i V2/C3080/C3080i/C2880 V2/C2880i V2/C2550; imageRUNNER 7105 V2/7095 V2/7086 V2/7095 Printer V2/5075/5065/5055/3245/3245i/3235/3235i/3230/3225/3045/3035/3030/3025; imagePRESS C1
Activation: Install Encryption Board | LMS License Access Key
Deactivation: Uninstall the Board | N/A
HDD Encryption: X (256 Bit, AES) | N/A
HDD Overwrite: – | X
Overwrite Pattern: – | Null: Once; Random Data: Once; Random Data: 3 Times
Mail Box Password
  7-Digit Password Required: X (Local UI Remote UI)
  Authentication Failure 1 Second UI Lock: X (Local UI Remote UI)
  2x Password Entry at Registration: X
System Manager Password
  7-Digit Password Required: – | X (Local UI Remote UI)
  1 Second UI Lock Authentication Failure: – | X (Local UI Remote UI)
  Password Initialization in Service Mode: – | –
  2x Password Entry at Registration: – | X
ScanGear Support: X | N/A
imageWARE® DM Support: X | N/A
MEAP®: X | X
Web Access Software Support: X | X
Encryption of Attached File on I–FAX: X
Displaying the Security Kit Version: Displayed in Device Configuration Screen

Security kits with both encryption and data overwrite functions

Functions (values listed as Security Kit-A Series | Security Kit-B Series; rows showing a single value are given as they appear in the chart)

Common Criteria Certification: N/A | EAL3
Supported Devices (Security Kit-A Series): imageRUNNER 4570/3570/2870/2270/6570/5570/5070/105+/9070/8070/85+/C3170U/C3170i/7105/7095/7095 Printer/7086/C5180/C5185i/C4580/C4580i/C4080/C4080i/3300i/3300/2800/2200/3320i/3320N/2220i/2220N/5000i/5000/6000/5020/6020/C6870U/C6800/C5870U/C5800/C3200/C3220/C2620
Supported Devices (Security Kit-B Series): imageRUNNER 6570/5570/4570/3570/3300/2870/2800/2270/2200 (imageRUNNER 5070 is not supported)
Activation: LMS License Access Key
Deactivation: X (in the Service Mode) | N/A
HDD Encryption: X (168 Bit, TDEA) | X (168 Bit, TDEA)
HDD Overwrite: X | X
Overwrite Pattern: – | Null: Once; Random Data: Once; Random Data: 3 Times
Mail Box Password
  7-Digit Password Required: X (Local UI Remote UI)
  Authentication Failure 1 Second UI Lock: X (Local UI Remote UI)
  2x Password Entry at Registration: X
System Manager Password
  7-Digit Password Required: – | X (Local UI Remote UI)
  1 Second UI Lock Authentication Failure: – | X (Local UI Remote UI)
  Password Initialization in Service Mode: X | –
  2x Password Entry at Registration: – | X
ScanGear Support: X | N/A
imageWARE® DM Support: X | N/A
MEAP®: X | X
Web Access Software Support: X | X
Encryption of Attached File on I–FAX: – | X
Displaying the Security Kit Version: – | Displayed in Device Configuration Screen


The information provided in this document is the most current information available at the time of its creation. Canon hereby expressly disclaims all warranties of any kind, express or implied, statutory or non-statutory, in relation to the information provided in this document.

In no event shall Canon, Canon’s subsidiaries or affiliates, their licensors, distributors or dealers be liable for any direct, special, consequential, incidental or indirect damages of any kind (including without limitation loss of profits or data or personal injury), whether or not Canon, Canon’s subsidiaries or affiliates, their licensors, distributors or dealers have been advised of the possibility of such damages, and Canon, Canon’s subsidiaries or affiliates, their licensors, distributors or dealers shall not be liable for any claim against you by a third party arising out of the use or performance of Canon’s products or information referenced herein.

Regulatory Disclaimer:

Statements made in this document are the opinions of Canon U.S.A. None of these statements should be construed to customers or Canon USA’s dealers as legal advice, as Canon U.S.A. does not provide legal counsel or compliance consultancy, including without limitation, Sarbanes Oxley, HIPAA, GLBA, Check 21 or the USA Patriot Act. Each customer must have its own qualified counsel determine the advisability of a particular solution as it relates to regulatory and statutory compliance.

1-800-OK CANON
www.usa.canon.com

Canon U.S.A., Inc.
One Canon Plaza
Lake Success, NY 11042

All specifications and availability are subject to change without notice.

© 2008 Canon U.S.A., Inc. All rights reserved.

